
PortSwigger Web Security Blog

Thursday, November 13, 2008

[MoBP] Spidering authenticated applications

Following on from yesterday's post, the new version also changes the way the Spider handles form submission: you can now control how Burp handles login forms separately from the configuration for forms in general. You can tell the Spider to perform one of four different actions when it encounters a login form:

You can ignore the login form, if you don't have credentials or are concerned about spidering sensitive protected functionality.

You can prompt for guidance interactively, enabling you to specify credentials on a case-by-case basis.

You can treat login forms as any other form, using the configuration and auto-fill rules you have configured for those.

You can automatically submit specific credentials in every login form encountered.
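To make the four policies concrete, here is an added illustration of how a spider might apply them; it is not Burp's own code, and the form-name hints, the generic fill value and the sample HTML are assumptions made for the example. A form counts as a login form when it contains a password field, ordinary forms always get the generic auto-fill, and in the auto-submit case the username goes into the text-like input whose name looks most like a username field (falling back to the first text field when nothing matches), while hidden fields such as CSRF tokens keep their values.

```python
"""Added illustration of the four login-form policies described in the post.
This is not Burp's own code: the field-name hints, the fill value and the
sample HTML below are assumptions made for the example."""
from html.parser import HTMLParser

IGNORE, PROMPT, GENERIC, AUTO = "ignore", "prompt", "generic", "auto"

# Substrings that make a text field look like a username field, strongest
# first (hypothetical list; the post does not publish Burp's heuristic).
USERNAME_HINTS = ("username", "userid", "login", "user", "email", "account", "uid")


class FormParser(HTMLParser):
    """Collect every <form> together with its <input> children."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action", ""),
                         "method": (a.get("method") or "get").lower(),
                         "inputs": []}
        elif tag == "input" and self._cur is not None:
            self._cur["inputs"].append({"name": a.get("name"),
                                        "type": (a.get("type") or "text").lower(),
                                        "value": a.get("value") or ""})

    def handle_endtag(self, tag):
        if tag == "form" and self._cur is not None:
            self.forms.append(self._cur)
            self._cur = None


def parse_forms(html):
    p = FormParser()
    p.feed(html)
    p.close()
    return p.forms


def is_login_form(form):
    """The post's trigger: any form containing a password field."""
    return any(i["type"] == "password" and i["name"] for i in form["inputs"])


def username_score(name):
    n = name.lower()
    scores = [len(USERNAME_HINTS) - rank
              for rank, hint in enumerate(USERNAME_HINTS) if hint in n]
    return max(scores, default=0)


def guess_username_field(form):
    """Pick the text-like input whose name most looks like a username field.
    max() keeps the first candidate on ties, so with no match at all the
    first text field is used as the fallback."""
    candidates = [i["name"] for i in form["inputs"]
                  if i["type"] in ("text", "email") and i["name"]]
    if not candidates:
        return None
    return max(candidates, key=username_score)


def generic_fill(form, fill="Peter Wiener"):
    """Simplified auto-fill rules for ordinary forms: keep hidden and submit
    values, tick checkboxes and radios, put a fixed value in everything else."""
    params = {}
    for i in form["inputs"]:
        if not i["name"]:
            continue
        if i["type"] in ("hidden", "submit"):
            params[i["name"]] = i["value"]
        elif i["type"] in ("checkbox", "radio"):
            params[i["name"]] = i["value"] or "on"
        else:
            params[i["name"]] = i["value"] or fill
    return params


def handle_form(form, policy, creds=None, prompt=None):
    """Return the parameters the spider would submit, or None to skip the form.
    The policy applies to login forms only; other forms get the generic fill."""
    if not is_login_form(form):
        return generic_fill(form)
    if policy == IGNORE:
        return None
    if policy == GENERIC:
        return generic_fill(form)
    if policy == PROMPT:
        creds = prompt(form)          # callback standing in for the interactive dialog
        if creds is None:
            return None
    elif policy != AUTO:
        raise ValueError("unknown policy: %r" % policy)
    username, password = creds
    params = generic_fill(form)       # hidden fields such as CSRF tokens survive
    for i in form["inputs"]:
        if i["type"] == "password" and i["name"]:
            params[i["name"]] = password
    field = guess_username_field(form)
    if field is not None:
        params[field] = username
    return params


# Constructed sample page: a search form, a Java-style login form, and a
# second login form whose username is an e-mail address next to a decoy field.
SAMPLE_HTML = """
<form action="/search" method="get"><input type="text" name="q"></form>
<form action="/j_security_check" method="post">
  <input type="hidden" name="csrf" value="abc123">
  <input type="text" name="j_username">
  <input type="password" name="j_password">
  <input type="submit" name="submit" value="Log in">
</form>
<form action="/portal/login" method="post">
  <input type="text" name="company">
  <input type="email" name="email">
  <input type="password" name="pass">
  <input type="checkbox" name="remember">
</form>
"""

if __name__ == "__main__":
    for form in parse_forms(SAMPLE_HTML):
        kind = "login" if is_login_form(form) else "generic"
        print(form["action"], kind, handle_form(form, AUTO, creds=("carlos", "montoya")))
```

Running it shows the search form receiving only the generic fill, the `j_security_check` form getting the credentials in `j_username`/`j_password` with its CSRF token intact, and the portal form putting the username into `email` rather than `company` because of the name ranking.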

In the auto-submit case, any time Burp encounters a form containing a password field, it will submit your configured password in that field, and your configured username in the text input field whose name looks most like a username field. Note that the trigger is the presence of a password field, so forms other than the login page proper (a registration or change-password form, say) will receive the configured credentials too; if you are unsure what the protected functionality does, the prompt or ignore options are the safer choice. The UI for configuring application login looks like this: